Last updated: 7th June 2026

Heather Rose (“we”, “us”, “our”) is registered in England at 7 Boundary Edge, Edenfield, Bury, BL0 0GX. We are committed to protecting your personal data and handling it responsibly in accordance with UK GDPR and the Data Protection Act 2018.

This policy explains what data we collect, why we collect it, who we share it with, and your rights.

What Data We Collect

When You Place an Order

When you purchase a product or service through our website, we collect:

• Your name and email address

• Billing address

• Shipping address (for physical products)

• Phone number (for physical product deliveries)

• Details of the products or services purchased

• Payment references provided by Stripe (we do not store your card details — see Stripe below)

When You Take a Payment Plan

If you purchase via a payment plan, we additionally store a Stripe customer reference and payment method reference to enable automatic future instalments to be charged. Your actual card details are held securely by Stripe and are never stored on our servers.

When You Contact Us

If you submit an enquiry via our contact form, we collect your name, email address, and the content of your message.

When You Visit Our Website

We use a secure, encrypted session cookie (“heatherrose_session”) solely for admin account authentication. This cookie is not set for general website visitors or customers. We do not use tracking cookies, analytics cookies, or advertising cookies.

How We Use Your Data

We use your personal data to:

• Process and fulfil your order

• Send you order confirmations, receipts, and invoices by email

• Arrange delivery of physical products

• Manage payment plan instalments and notify you of payment outcomes

• Respond to enquiries and provide customer support

• Meet our legal obligations (e.g. financial record-keeping)

We do not use your data for marketing unless you have separately opted in to receive marketing communications from us.

Who We Share Your Data With

Stripe

All payments are processed by Stripe Payments Europe Ltd. When you check out, your payment details and billing information are passed to Stripe. For payment plans, Stripe retains your payment method to process future instalments. Stripe is PCI DSS compliant. Their privacy policy is available at stripe.com/gb/privacy.

Royal Mail (Click & Drop)

For orders involving physical products, your name, delivery address, email address, phone number, and order details may be shared with Royal Mail via their Click & Drop service for the purpose of generating a shipping label and tracking your parcel. Royal Mail’s privacy policy is available at royalmail.com/privacy-policy.

Email Provider

We send transactional emails (order confirmations, invoices, despatch notifications) via a third-party SMTP provider. These emails contain your name, email address, and order details as necessary to fulfil the communication.

Push Notifications (Admin Only)

We use Pushover to send internal admin notifications about new orders. These notifications include your order number, name, and order summary. This data is not used for any other purpose.

How Long We Keep Your Data

We retain order records (including your name, address, and order details) for as long as necessary to fulfil our legal and financial obligations, and in any event for a minimum of 6 years in accordance with HMRC requirements.

Contact form enquiries are retained only as long as necessary to respond to and resolve your enquiry.

Admin session cookies expire after 7 days of inactivity.

Your Rights

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you

• Rectification — ask us to correct inaccurate or incomplete data

• Erasure — ask us to delete your data where we no longer have a lawful basis to hold it

• Restriction — ask us to restrict processing of your data in certain circumstances

• Portability — receive your data in a structured, machine-readable format

• Object — object to processing based on legitimate interests

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.

Data Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. All data is stored in a secured database. Passwords are stored as one-way hashed values. Payment processing is handled entirely by Stripe and is fully PCI DSS compliant.

Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to read their privacy policies.

Changes to This Policy

We may update this policy from time to time. The “Last updated” date at the top of this page will reflect any changes. Continued use of our website after changes are posted constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact:

Heather Rose
7 Boundary Edge, Edenfield
Bury, BL0 0GX
United Kingdom
Email: [email protected]
Phone: +44 (0)7967 211 485